How easy is it for message boards to be hacked?

Citizen Snips

I had always read about people's email accounts being hacked, but never thought it would happen to me. I never click on random links and always keep my AV/internet security software up to date. Last week my gmail account was hacked by someone in China, and I've been doing a lot of research trying to figure out where I went wrong.

Luckily the perp didn't cause too much trouble - they just sent a poorly-worded spam message about discount electronics to a number of my contacts. Everything else was left unchanged.

From reading similar stories on google's forums, I've come up with the following:

1. Google claims their servers are secure, and that there is no security hole in/through China. I suppose you could dispute this, but I'm leaning more toward option #2 as the root cause.

2. Aside from the obvious schemes used to steal people's passwords - phishing, keyloggers, etc. another possibility mentioned by a google rep was the issue of other websites being hacked, and the login/password data being stolen, distributed, and used.

This is where I think I went wrong. I had been using the same password for nearly every website, including gmail. This had been the case for the past few years. The password was also only moderately secure - 8 random characters with one uppercase, one letter, and no symbols.

Now I'm starting to wonder which site they likely stole my information from. Are the logins/passwords on vbulletin message boards stored in plain text on the server? What about on social networking sites such as Facebook and Linkedin? What about banks? What about online stores such as Amazon and Newegg? How easy is it to hack each of these websites and steal login/password information? I guess I was under the impression that login/password data was stored encrypted on the servers, but maybe not?

As a temporary measure I've generated 10-character random passwords for every site I visit on a regular basis and written them down on a piece of paper, but I'm not sure what to do in the long term. I've thought about going with keepass, but the idea of never actually remembering my password for each individual website seems kind of strange to me. It also seems like I would need to always carry a USB key drive around with me in case I needed to access any of my websites from a different computer.

There's just no way I would be able to remember a unique 10+ character password for each individual website I visit.
 
just because an email appears to be from you doesn't mean your gmail account was hacked.... VERY easy to spoof FROM fields in email headers, and that's exactly what happens

i dunno how many times i've had to explain this to clients
 
Anything can be brute forced given time.
Um yeah... using a similar method to the one used to brute a DES key would take 149 trillion years for AES. Hopefully you will have rotated your keys before they get through at least 50% of the keyspace... :rolleyes:

Like cooper said just because your email address is in the sender's field, doesn't mean it actually came from your account or you were "hacked".
 
some passwords can be found by googling the hash value, believe it or not. OP did say though that emails were sent to his contacts, which would imply getting hacked.

anyway i'd suggest keeping a few different passwords in terms of security. use the same for your different forums. a different one for email and different ones for store/bank sites etc.

biggest risk say, is putting in an email in a forums site, using the same password. if someone gets your forum account they can then go to paypal and try the email/password and see if they can get in.

keep all that stuff separate....
 
it depends on the software behind the individual forum if the admins of the board can get users' passwords. I'm not familiar with all the more recent versions, but many forum databases do not securely store passwords.

This is where I think I went wrong. I had been using the same password for nearly every website, including gmail. This had been the case for the past few years. The password was also only moderately secure - 8 random characters with one uppercase, one letter, and no symbols.
on the internet the saying is "fool me once, shame on me. fool me twice, shame on me." you have learned why doing this is bad. keepass fits on a microSD card, and microSD to USB adapters are smaller than a postage stamp, so you can easily keep all your passwords on your keys or in your wallet if you need to.

there are also firefox plugins that are useful for using strong passwords. you can also try remembering one, strong password and then salting it with whatever site you are using. for example remember the password "Lx1k8Gn", then

for gmail use the password "Lx1k8GnGmail"
for hardforum, use "Lx1k8Gnhardforum"
for ebay "Lx1k8GneBay"
etc
you have to find the middle ground between being secure and being useful. that depends on how good your memory is and how much you care about security.
 
 
just because an email appears to be from you doesn't mean your gmail account was hacked.... VERY easy to spoof FROM fields in email headers, and that's exactly what happens

i dunno how many times i've had to explain this to clients

When I clicked on the "recent activity" link at the bottom of the Gmail page, it showed two logins from China, so I'm pretty sure the account was hacked in this case. Additionally, the emails appeared in my "sent" folder and several of the later outgoing messages were rejected by gmail due to possible spam. I probably should have said that in the OP.
 
All my passwords are centered around two different subjects. All are different, have 10+ characters contain numbers.

It's not hard to remember 12+ passwords for my use. I am naturally good at those kinds of things though. I have friends who have me remember their password, because they know I won't forget.

Is it bad if I remember all the passwords from peoples computers I've worked on over the years? :eek:
 
When I clicked on the "recent activity" link at the bottom of the Gmail page, it showed two logins from China, so I'm pretty sure the account was hacked in this case. Additionally, the emails appeared in my "sent" folder and several of the later outgoing messages were rejected by gmail due to possible spam. I probably should have said that in the OP.
Yeup you were pwned then. Check for malware, change ALL your passwords, stay away from the go4ts3 ;)
 
Just as an FYI, there is a chance you were not hacked at all, but the people in China found some gmail exploit they were able to use to log into your account. This might be done with, say, a cookie or some browser tricks or something like that. I would think if they hacked your account the first thing they would do would be to change the password.
 
Most forums use MD5 or some other hash, so they don't actually have the passwords stored in clear text.

That said spammers will and do hack message boards to get everyone's email so they can send to/from them. When a mail comes from you it's most likely spoofed. To show how easy it is to do, try this with an open relay SMTP server:

Code:
telnet mail.isp.com 25
helo localhost
mail from:[email protected]
rcpt to:[email protected]
data
subject: test

blah blah blah
.
quit

(I may have gotten that slightly wrong, but you can lookup smtp protocol)
 
If the 'recent activity' link on Google said there were two logins from China, he was cracked.

OP, I would grab a password manager (I recommend 1Password), use it to create new passwords, different for each account, and create a complex master password for the manager; store it on a USB key, or on the computers you use all the time.

Oh, and change your passwords at least once a year.
 
I had exactly the same thing happen two weeks ago, login from China and a single crappily worded spam sent to contacts. Luckily I was actually online at the time it happened, so was able to get things reset within minutes. The only two PCs I use are completely clean, so my thoughts were the same as the OP's. I know I've signed up for accounts at places using the same password as I had for GMail (even though I know better), so I'm guessing one of those sites got hacked and was storing passwords in an insecure manner.

Oh well, I'd been meaning to start using KeePass, this was a good way to force me. :)

And I've got to say, the GMail notifier for possible hacked logins is fucking worthless. Like a week later GMail pops up and says "your account may have been hacked". No shit sherlock, completely useless. I wish I could just set it to only allow logins from countries I specify.
 
I'm guessing it's the fact that you're using a standard password. While good sites should store only a hash of your password in their database (when you input a password to log in, its hash rather than the actual password is checked against the stored value), not all do. If you use the exact same password on each site, any single compromise equates to a compromise of all of your accounts.

I do what ghost6303 suggested and have a standard base password and add some site-specific stuff onto it. You can also have different base passwords for different levels of security - one for all the random boards you sign up for, one for your good email account(s), and another one for banking and such.


When a mail comes from you it's most likely spoofed. To show how easy it is to do, try this with an open relay SMTP server:

Code:
telnet mail.isp.com 25
helo localhost
mail from:[email protected]
rcpt to:[email protected]
data
subject: test

blah blah blah
.
quit

(I may have gotten that slightly wrong, but you can lookup smtp protocol)

Yeah, that's kind of neat to see how everything works behind the scenes, but you can just as easily do the exact same thing by changing the mail server and email address in your email client's settings too.
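To make the hash-storage point from the posts above concrete, here is an added example (not code from anyone in this thread): a constructed three-user table stored first as unsalted MD5, as older forum software did, then with a per-user salt and PBKDF2. The user names and passwords are made up; the "common passwords" list stands in for the public lookup tables the hash-googling post refers to.

```python
import hashlib
import hmac
import os

# Constructed sample credential table, not real user data. Two users reuse
# the same password, which is exactly the situation the thread discusses.
USERS = {"alice": "Lx1k8Gn", "bob": "password", "carol": "Lx1k8Gn"}


def md5_store(password):
    """Legacy forum style: one unsalted MD5 digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, iterations=100_000):
    """Per-user random salt plus a deliberately slow derivation. The stored
    string carries algorithm, iteration count and salt, so it can be verified."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, candidate):
    """Login check: hash the candidate with the stored salt and compare in
    constant time; the clear-text password is never kept on the server."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def reuse_visible_in_leak(table):
    """Groups of users whose stored values are identical. With unsalted MD5
    an equal password gives an equal hash, so a leaked table exposes reuse;
    with salted PBKDF2 no two rows match even for the same password."""
    seen = {}
    for user, digest in table.items():
        seen.setdefault(digest, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


def flag_guessable(table, common_passwords):
    """Audit of a leaked unsalted table: any row whose digest matches the
    precomputed digest of a common password is recovered by pure lookup.
    This is why unsalted hashes can be 'googled' and salted ones cannot."""
    precomputed = {md5_store(p): p for p in common_passwords}
    return {u: precomputed[d] for u, d in table.items() if d in precomputed}
```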
 
And I've got to say, the GMail notifier for possible hacked logins is fucking worthless. Like a week later GMail pops up and says "your account may have been hacked". No shit sherlock, completely useless. I wish I could just set it to only allow logins from countries I specify.

I agree 100% with this. I checked the "recent activity" log after being hacked and it turns out the hacker had also accessed my account the day before sending any spam. Gmail didn't even notify me until 2 days after the spam messages were sent.

On a related note, when I click on the "recent activity" link, it shows the type of access made. All of my accesses are either "browser" or "mobile", but the 2 accesses from China are "unknown". What other types of accesses are there? Are they just communicating with the website via a command line script or something?
 
Basic Password Security Rules:

1. Change ALL of your passwords everyday.
2. ONLY use passwords with at least 1 uppercase, 1 lower case, 1 number, 1 special character, and be between 25-50 characters total.
3. Do NOT use commonly guessed words that are between 25 and 50 characters (like antidisestablishmentarianism)
4. Do not give out your password


Come on, its not THAT hard people... :D
 
I would love to send that out in a "all staff" email as the new password policy starting as of Monday, just to see people's reaction. If my IT manager had a sense of humor I'd ask to do it on april fools.

Our users freaked out when we implemented the 90 day rotation and 6 minimum characters. LOL
 
As an extra layer of security, my stock broker forced all customers to not only log in w/ a username and password, but they physically mailed you a secure code card with numbers from 1 - 224, and each number has 3 characters. Every time you log in, they ask you to enter two random numbers (totaling 6 characters in a line). It's similar to electronic RSA keys, or grid cards, it's just not electronic, but still a physical thing you have to possess to log in (or if your memory is THAT GOOD to remember it all!). So say you log in w/ your credentials, then the next step displays the two numbers (in captcha!), so you enter something like 3xt0gs blah blah... they were smart w/ the captcha though, so nobody could just write an auto login script and interpret the numbers from the card as you entered them all in the computer.

I believe logmein supports this in the pro version.

Does gmail support any security token/card after you login?
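The server side of the broker's code-card step described above, as an added example that is not the broker's or anyone in this thread's code: a 224-position card of 3-character cells is issued, the server picks two positions per login, and the 6-character answer is checked once, in constant time, and discarded. The CAPTCHA rendering of the two numbers is mentioned in the post but not modelled here; the card format and the 120-second challenge lifetime are assumptions.

```python
import hmac
import random
import string
import time

ALPHABET = string.ascii_lowercase + string.digits
_rng = random.SystemRandom()  # CSPRNG for issuing cards and picking challenges


def make_card(cells=224, chars=3):
    """Constructed card: positions 1..224, each holding 3 characters, as in
    the broker scheme described above. This is what gets mailed to the user."""
    return {i: "".join(_rng.choice(ALPHABET) for _ in range(chars))
            for i in range(1, cells + 1)}


class GridCardAuth:
    """Second login step. The full card stays server-side and in the
    customer's wallet; each login reveals only two positions."""

    def __init__(self, cards, ttl=120):
        self.cards = cards      # user -> card dict (assumed storage)
        self.pending = {}       # user -> (positions, issued_at)
        self.ttl = ttl          # seconds a challenge stays valid (assumption)

    def issue_challenge(self, user):
        """Pick two distinct positions; this is what the page shows the user."""
        positions = tuple(_rng.sample(range(1, len(self.cards[user]) + 1), 2))
        self.pending[user] = (positions, time.time())
        return positions

    def verify(self, user, response):
        """Single-use: the pending challenge is removed before it is checked,
        so a captured answer cannot be replayed for a later login."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        positions, issued = entry
        if time.time() - issued > self.ttl:
            return False
        expected = "".join(self.cards[user][p] for p in positions)
        # constant-time comparison; card cells are lower case by construction
        return hmac.compare_digest(expected, response.strip().lower())
```

A wrong or missing answer also consumes the challenge, so a fresh pair of positions is shown on the next attempt rather than the same one.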
 